chore(ci): tighten dependency update gates
- Disable routine Dependabot PR creation while keeping grouped security update handling for npm and GitHub Actions. - Add dependency-review workflow for dependency manifest and lockfile pull requests. - Checked current upstream action majors before committing: actions/checkout v6 and dependency-review-action v5.
This commit is contained in:
parent
bc8d47aaa2
commit
d0b0a18e3b
2 changed files with 37 additions and 10 deletions
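--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,20 +9,16 @@ updates:
       day: monday
       time: "09:00"
       timezone: Etc/UTC
-    cooldown:
-      default-days: 3
-    open-pull-requests-limit: 5
+    open-pull-requests-limit: 0
     commit-message:
       prefix: chore
       prefix-development: chore
       include: scope
     groups:
-      npm-minor-and-patch:
+      npm-security:
+        applies-to: security-updates
         patterns:
           - "*"
-        update-types:
-          - minor
-          - patch
 
   - package-ecosystem: github-actions
     directory: /
@@ -31,9 +27,12 @@ updates:
       day: tuesday
       time: "09:00"
       timezone: Etc/UTC
-    cooldown:
-      default-days: 3
-    open-pull-requests-limit: 3
+    open-pull-requests-limit: 0
     commit-message:
       prefix: chore
       include: scope
+    groups:
+      github-actions-security:
+        applies-to: security-updates
+        patterns:
+          - "*"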
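Review bot: Nothing in this file enables Dependabot security updates; `applies-to: security-updates` only groups them once security updates are switched on for the repository, so with `open-pull-requests-limit: 0` both the npm entry (first hunk) and the github-actions entry (second hunk) will open no pull requests at all if that repository setting is off. The `schedule` blocks that remain above each change govern version updates, which are now disabled, so as far as I can tell they no longer drive anything; a comment above each `open-pull-requests-limit: 0` such as `# Version updates disabled; only grouped security updates below are expected (requires Dependabot security updates enabled on the repo)` would record that intent for the next maintainer. The first hunk starts inside the npm entry, whose `package-ecosystem` and `directory` lines sit above the hunk.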
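--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,28 @@
+name: Dependency Review
+
+on:
+  pull_request:
+    paths:
+      - "**/package.json"
+      - "**/package-lock.json"
+      - "**/pnpm-lock.yaml"
+      - "pnpm-workspace.yaml"
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v5
+        with:
+          fail-on-severity: high
+          fail-on-scopes: runtime, development, unknown
+          license-check: false
+          show-patched-versions: true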
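Review bot: Both actions are referenced by mutable major tags (`actions/checkout@v6`, `actions/dependency-review-action@v5`), and the companion dependabot change in this commit disables routine github-actions version updates, so only security advisories would now move these references; pinning each `uses:` to a full commit SHA with the version in a trailing comment is the usual hardening for a workflow that gates merges, and it is compatible with grouped security updates. The `paths:` filter means the job is skipped on pull requests that touch no manifest or lockfile, which is fine unless `dependency-review` is made a required status check, in which case those PRs would wait on a check that never reports; that interaction is worth a comment above `paths:`. `fail-on-severity: high` lets moderate and low advisories through with only a summary, and `license-check: false` disables license review entirely; a short comment on each, e.g. `# High/critical only; moderate advisories are reported but do not block`, would make both choices explicit.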